Kerberos and Windows 2003 KDC

Unanswered Question
Jul 3rd, 2007

Hi,

I'm trying to configure Kerberos authentication for local users on Cisco. The KDC is running under Windows 2003, but I got the following error from debugging:

AAA/BIND(000002D4): Bind i/f

AAA/AUTHEN/LOGIN (000002D4): Pick method list 'default'

Kerberos: All dialogue with KDC will now use default interface as source

Kerberos: Sent TGT request to KDC 192.168.11.14

Kerberos: Received TGT reply from KDC 192.168.11.14

Kerberos: KRB_ERROR (code=52) returned

Kerberos(000002D4): Received invalid credential.

Where can I find those Cisco KRB_ERROR codes?

Best regards,

Vladimir

Jagdeep Gambhir Tue, 07/03/2007 - 11:19

Hi Vladimir,

It's caused by AD needing to return a particularly large number of groups that a user belongs to, and trying to switch to TCP instead of UDP because of UDP packet size limits.

Older versions of Kerberos don't support TCP, and thus don't know what to do.

Hope that helps!

Regards,

~JG
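The KDC behaviour JG describes (a reply too big for UDP answered with KRB_ERROR code 52, KRB_ERR_RESPONSE_TOO_BIG, after which the client is expected to retry over TCP), as an added Python example that is not part of this thread: it builds a minimal KRB-ERROR, reads the error-code out of the DER, and decides the transport for the retry. The message bytes are constructed for illustration, not captured from the poster's KDC, and only the three KRB-ERROR fields the demo needs are populated.

```python
# Added example (not from the thread): build a minimal KRB-ERROR, read its
# error-code, and show the UDP-to-TCP retry RFC 4120 expects on code 52.
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 section 7.5.9

def der(tag: int, content: bytes) -> bytes:
    """One DER TLV; short-form length only (content under 128 bytes)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_int(value: int) -> bytes:
    """DER INTEGER for 0 <= value < 128, all this demo needs."""
    return der(0x02, bytes([value]))

def build_krb_error(error_code: int) -> bytes:
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE {pvno[0], msg-type[1], ..., error-code[6], ...}."""
    fields = (der(0xA0, der_int(5))              # pvno [0] = 5
              + der(0xA1, der_int(30))           # msg-type [1] = KRB_ERROR (30)
              + der(0xA6, der_int(error_code)))  # error-code [6]
    return der(0x7E, der(0x30, fields))          # 0x7E = [APPLICATION 30]

def iter_tlv(buf: bytes):
    """Yield (tag, content) for each short-form DER element in buf."""
    i = 0
    while i + 2 <= len(buf):
        tag, n = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + n]
        i += 2 + n

def krb_error_code(msg: bytes):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    top = list(iter_tlv(msg))
    if len(top) != 1 or top[0][0] != 0x7E:
        return None
    seq = list(iter_tlv(top[0][1]))
    if len(seq) != 1 or seq[0][0] != 0x30:
        return None
    for tag, content in iter_tlv(seq[0][1]):
        if tag == 0xA6:  # error-code [6] wraps a UNIVERSAL INTEGER
            inner_tag, raw = next(iter_tlv(content))
            return int.from_bytes(raw, "big", signed=True) if inner_tag == 0x02 else None
    return None

def next_transport(reply: bytes, transport: str) -> str:
    """RFC 4120 section 7.2.1: on KRB_ERR_RESPONSE_TOO_BIG a UDP client retries over TCP."""
    if transport == "udp" and krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "tcp"
    return transport

def frame_for_tcp(request: bytes) -> bytes:
    """Over TCP each Kerberos message carries a 4-byte big-endian length prefix."""
    return len(request).to_bytes(4, "big") + request
```

A client that never reaches `next_transport` returning "tcp" (an old UDP-only implementation) is left with exactly the "invalid credential" failure shown in the debug output above.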

vnovakov Wed, 07/04/2007 - 00:55

Thanks a lot for the quick answer. However, I am still confused about how to solve this problem between Cisco and Windows AD.

I would like to use Kerberos to authenticate local Cisco users instead of radius authentication.

Under Windows 2003, I have created the user cisco1 to be able to create a keytab:

C:\Documents and Settings\admin>ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /pass PaSsWoRd123 /out cisco.keytab /princ host/[email protected] /mapuser [email protected]

Targeting domain controller: ad01.company.local

Successfully mapped host/cisco1.company.domain to cisco1.

Key created.

Output keytab to cisco.keytab:

Keytab version: 0x502

keysize 68 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL)

vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x233d1f4c91341029)

Account cisco1 has been set for DES-only encryption.

Cisco configuration:

aaa authentication login default krb5 local

username ciscoadmin password 7 ********

username joe password 7 ********

Comment: the ciscoadmin and joe users under AD are members of 7 groups, and they have different passwords from the local users ciscoadmin and joe on the Cisco router.

kerberos local-realm COMPANY.LOCAL

kerberos srvtab entry host/[email protected]

kerberos server COMPANY.LOCAL 192.168.11.14

kerberos preauth encrypted-kerberos-timestamp

kerberos credentials forward

Does the Cisco Kerberos client under IOS Version 12.4(12) use TCP, or does it use UDP only?

Regards,

Vladimir

Jagdeep Gambhir Thu, 07/05/2007 - 10:08

Hi,

What kind of users are we trying to authenticate, like VPN or wireless, etc.?

Regards,

~JG

vnovakov Thu, 07/05/2007 - 11:15

Hi,

Just a local Cisco user that should have access to the router and run some set of show commands.

The same username is active in AD.

With RADIUS it's working, but switching to Kerberos causes the problem above.

Regards,

Vladimir
